WhatsApp security flaw exposes phone numbers of 3.5 billion users

WhatsApp is under scrutiny after researchers uncovered a security failure that exposed the phone numbers of around 3.5 billion users worldwide. According to reports, automated systems pull user details by simply checking number availability.

According to the research team from the University of Vienna, the issue has existed since 2017, but Meta has not acknowledged it publicly until now. 

The app’s contact discovery function is the source of this vulnerability. This discovery has raised concerns because WhatsApp is one of the most used apps and is trusted for private chats and personal communication by people. Experts say such exposure of phone numbers in large numbers increases risks around privacy, spam, and targeted scams.

Researchers view the profile photos of the 3.5 billion WhatsApp users

While searching for flaws in WhatsApp’s end-to-end encryption system, Austrian researchers discovered that the platform lacks rate-limiting protection to prevent abuse of its feature that checks whether a number is registered on WhatsApp. 

Within just half an hour, they were able to extract 30 million WhatsApp numbers registered in the US by exploiting this flaw. By the end of their research, they had collected the WhatsApp numbers of 3.5 billion users worldwide.

Approximately 57% of the 3.5 billion WhatsApp users had their privacy settings configured to display their profile picture to everyone. As a result, the researchers were easily able to collect their profile photos as well. They could also view the profile text of 29% of these 3.5 billion WhatsApp users.

According to the researchers, if this technique were to be exploited by malicious actors, the results could be among the largest data leaks on record. Following this test, they deleted all the data they collected and contacted Meta with their results.

In response, Meta stated that active work was going into stronger protections against large-scale scraping and that the findings helped improve those systems. The company also claimed it had found no signs of criminals using the flaw.

Cybersecurity experts have advised users to set profiles to private, not to put personal details in ‘About’, and to limit status sharing. For businesses, experts advise users to use the secure features of WhatsApp Business API. Now, privacy is also the user’s responsibility.

Meanwhile, Meta has introduced a tool called the WhatsApp Research Proxy to help security researchers examine the messaging platform’s network protocol more effectively. Initially available to a select group of long-time bug bounty participants, the company said it helps simplify investigations into WhatsApp’s infrastructure.

WhatsApp introduces multi-account support to iPhone testers

WhatsApp is introducing a feature for iOS that allows users to manage multiple accounts on a single device. Currently in beta testing, the feature is available to select users via TestFlight. According to reports, the feature is meant to simplify account management.

Additionally, users will be able to reconnect their old accounts that they have been using on WhatsApp Business. As soon as the account is linked, all chat and preferences are synced automatically.

Meanwhile, the court has sided with Meta, dismissing the antitrust case brought by the Federal Trade Commission (FTC). The ruling, described in an email sent to NPR, was seen as recognition of the strong competition in the sector. 

The case was filed five years ago and stemmed from an investigation that began during the Trump administration. It argued that Facebook, later renamed Meta, had pursued a “buy or bury” strategy by acquiring Instagram in 2012 and WhatsApp in 2014 to eliminate competitors and strengthen a monopoly in the social networking market. 

The FTC asked the court to demand that Mark Zuckerberg separate the two apps into independent entities to promote competition and provide users with greater choice.

If you're reading this, you’re already ahead. Stay there with our newsletter.